OpenRTB Responds to Industry Security Threat

12.11.15

By
Melissa Gallo

Today’s world of technology has led to amazing advancements in how brands are able to reach consumers through digital advertising. While publishers now have access to expanded sources of revenue and brands are able to use data to target users more precisely, criminal threats exist, and the industry has responded by establishing programs to introduce transparency and healthy business practices, principally the Trustworthy Accountability Group. However, we must remain vigilant on all fronts, as we were reminded earlier this month when a botnet optimized its standard attack with delayed win notifications in order to extract more money from buyers than would have previously been achievable.

The botnet, dubbed “Xindi”, affects certain implementations of OpenRTB by caching multiple ad impressions for an extended period, then quickly replaying them, triggering multiple win notifications and/or billing events, each belonging to a unique auction. For those companies affected by Xindi, the bot has had an impact on billing, pacing, and business logic.

The IAB Tech Lab, OpenRTB Working Group, Co-Chairs, and other industry leaders quickly sprang into action to develop a security advisory giving specific guidance on how to handle this particular issue. Among the suggested recommendations are:

● Increased detection and filtering for both bidders and exchanges, including recommendations for impression scoring and filtering of inventory that appears to be illegitimate.
● A “penalty box” for bidders, which monitors bid requests where the count of a unique signature per unit time is excessive.
● Implementation of a win-notice timeout for win notices that arrive later than a certain threshold.
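The win-notice timeout and per-auction bookkeeping described above, shown from a bidder's point of view as an added example that is not code from the IAB advisory or from any OpenRTB implementation. The 30-second threshold, the bid ids and the timestamps are constructed values; the advisory does not specify a threshold.

```python
from dataclasses import dataclass

# Assumed threshold: how long after a bid a win notice is still considered timely.
WIN_NOTICE_TIMEOUT_S = 30.0


@dataclass
class BidRecord:
    bid_id: str
    bid_time: float   # seconds, injected by the caller so the logic is deterministic
    price: float


class WinNoticeValidator:
    """Tracks outstanding bids and decides whether an incoming win notice is billable.

    Two independent checks: a duplicate check catches a second notice for a bid that
    was already settled, and a timeout catches the delayed-replay pattern, where each
    cached impression is a distinct auction and so would pass a duplicate check alone.
    """

    def __init__(self, timeout_s: float = WIN_NOTICE_TIMEOUT_S) -> None:
        self.timeout_s = timeout_s
        self.bids: dict[str, BidRecord] = {}
        self.settled: set[str] = set()

    def record_bid(self, bid_id: str, price: float, now: float) -> None:
        self.bids[bid_id] = BidRecord(bid_id, now, price)

    def validate(self, bid_id: str, now: float) -> str:
        rec = self.bids.get(bid_id)
        if rec is None:
            return "reject:unknown_bid"          # never bid on this auction
        if bid_id in self.settled:
            return "reject:duplicate"            # already billed once
        if now - rec.bid_time > self.timeout_s:
            return "reject:timeout"              # stale: arrived past the threshold
        self.settled.add(bid_id)
        return "accept"


def simulate_delayed_replay(timeout_s: float = WIN_NOTICE_TIMEOUT_S) -> list[str]:
    """Constructed scenario: three bids at t=0; one legitimate win arrives promptly,
    two cached impressions are replayed ten minutes later as distinct auctions,
    then the settled bid is replayed again."""
    v = WinNoticeValidator(timeout_s)
    for bid_id in ("auc-1", "auc-2", "auc-3"):
        v.record_bid(bid_id, price=1.25, now=0.0)
    return [
        v.validate("auc-1", now=2.0),     # prompt win
        v.validate("auc-2", now=600.0),   # stale replay, unique auction
        v.validate("auc-3", now=600.0),   # stale replay, unique auction
        v.validate("auc-1", now=601.0),   # second notice for a settled bid
    ]
```

Only notices that return "accept" should feed billing and pacing; the reject reasons are what a bidder would count per source to drive the penalty box.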

In the drive to automate, our industry has provided great opportunities for scale to many participants, including fraudsters. IAB Tech Lab’s work on protocols and guidelines includes growing guidance on reasonable techniques for promoting a healthy and safe industry that naturally resists and exposes fraud. This work, along with industry-wide pressure to fully deploy protocols and achieve certification to that effect, will help protect individual participants and the industry at large from exploitation.